The part about the lan domain forwards all queries for .lan to dnsmasq. This way we can look up the hosts that registered through DHCP as hostname.lan. Best of both worlds!

If your device doesn’t have a hardware clock, you should add something like this to your /etc/rc.local or to the unbound init script. This way, the certificates don’t fail to validate because of a wrong date: